As CIO for the Harvard Kennedy School, I have the unique responsibility of looking across industry, academia and government for best practices in maintaining the integrity and security of the school’s networks, as well as the data privacy of both the students and the faculty. Designing policy towards these ends requires multidimensional thinking, as the causes of network intrusion are various and the stakes potentially high.
With that in mind, I have recently been tasked to make the determination as to whether or not the use of password management software, such as LastPass or 1Password, should be made a requirement for all HKS students and staff.
In threat modeling for the HKS network, there are clear risks to the system in the forms of tampering, information disclosure and elevation of privilege. If an unauthorized user accesses the system, they have access to a wide range of services and networks. It is difficult to get into the system; however, it is not difficult to navigate laterally within it once it has been breached. This is a problem. However, I do not deem this to be a problem that is solved by imposing regulations that require the use of a password manager for students.
As such, I have decided not to make such a recommendation, and the reasons are as follows:
- Centralized password repositories are prime targets for malicious hacking activity.
- Password managers are designed with convenience in mind more than security.
- Two-factor authentication is required to access ALL HKS systems; requiring individuals to protect their private internet accounts with a password manager is an infringement on their individual rights and preferences.
Prime targets: The fact is that the Kennedy School is a prime target of hacking. The school trains and produces future leaders in both the public and private sector every year. The idea that an adversary may wish to mine the data of a current HKS student who may one day become a public official, in hopes of eventually having the capability to blackmail them, for example, is not as far-fetched a concept as one might think. Moreover, many of the faculty at the school maintain highly placed ties in the US Government and in industry around the world. The theft of their data can be used in nefarious activities throughout many other networks and could cause severe damage.
With these realities in mind, it seems a foolish security mechanism to contain all password data in the same place, with or without sophisticated encryption, and with or without each password being randomly generated by the application. Why one would do so must surely be for the purpose of convenience, which is not within the purview of IT administrators to govern or regulate.
Convenience > Security: Students understandably experience difficulties maintaining and remembering their passwords, as they are numerous across internet services. It is no longer common, nor proper, for people to use the same password across services, and it is not uncommon for individuals to store passwords either in a Word document or something of the sort on their computer itself, or to auto-save passwords in their browsers. Both practices are unsafe, and the convenience of password managers is understandably appealing. Password managers take great pains to protect the data given to them by using sophisticated end-to-end encryption. Of this there is no doubt. Unfortunately, however, the fact still remains that centrality is an inherent security vulnerability, and that the most effective security measures rely on distributed storage and alternative means of cataloging data (even securing them in physical locations that only the user knows of). There is always a balance between security and convenience, and one must make up one’s own mind on where on the spectrum one wishes to live.
Infringement on individual rights and preferences: I believe it to be in line with Harvard’s ethics that we do not make anything mandatory that infringes on individual students’ preferences for PII management. It is perhaps acceptable to mandate that all students must use LastPass to manage their Harvard account passwords; however, there simply aren’t enough Harvard accounts in general for this to be practical (it is not difficult to remember passwords if there are only a few, i.e., HarvardKey or XID), so it is not a practical policy.
Alternatives to solve the problem:
- Require two-factor authentication for any and all products or services that interface with HKS networks or store HKS data.
- Require password changes every semester for Canvas and Harvard Email.
- Implement a ‘cyber awareness’ training module that is required at the beginning of every semester. It would consist of a 30-minute interactive multimedia program in which threats such as phishing would be simulated to raise awareness and set norms. Overall, better cyber awareness among the student body would be an effective, yet simple, policy.
Conclusions:
- LastPass and other password manager software and services are a largely safe and certainly convenient way to manage your passwords across services, to randomize your passwords so they are more complicated than is practical to retain in memory, and to access them conveniently through a single master password, which can itself be protected with two-factor authentication. As a single unauthorized intrusion into the HKS network can cause severe damage if the intruder is significantly knowledgeable or skilled, it is in the interest of HKS to do everything it can to ensure there is no unauthorized access to, or distribution of, students’ passwords.
- That being said, it is my judgment that, as CIO, I cannot make the use of such services mandatory, as it stretches into broader online lifestyle decisions which must only be made by the individuals themselves, not by the school.
- We will continue to take security very seriously at HKS, and we will continue to pursue other avenues of maintaining the integrity of our networks and data.